Hackers Use Botnets To Search For Victims

Hackers are using botnets and specially crafted search queries called “Dorks” to identify vulnerable websites

Hackers are using botnets to generate more than 80,000 search queries a day, allowing them to identify potential attack targets in a very short time and with minimal effort.

According to security firm Imperva’s latest Hacker Intelligence report (pdf), special search terms known as “Dorks” are used to home in on potential attack targets. Dorks are search queries built from search-engine operators (such as inurl:, intitle: and filetype:) so that the results contain a particular piece of code, file name or page signature, enabling hackers to build up a list of vulnerable webpages. They are commonly exchanged between hackers in forums and collected in public repositories such as the Google Hacking Database.

Automating queries on search engines using a botnet enables the attacker to obtain a filtered list of potentially exploitable sites very quickly. Because the searches originate from the compromised bots rather than from the hacker’s own IP address, the attacker’s identity remains concealed.

“Hackers have become experts at using Google to create a map of hackable targets on the web,” said Imperva’s chief technology officer Amichai Shulman. “This cyber reconnaissance allows hackers to be more productive when it comes to targeting attacks which may lead to contaminated websites, data theft, data modification, or even a compromise of company servers.”

Using botnets to avoid detection

The problem with today’s search engines is that their abuse-detection mechanisms are keyed on the IP address of the originating request. This means that detection can easily be avoided with a botnet, which spreads the queries across many compromised machines so that no single address issues enough queries to stand out.

Having created a list of potentially vulnerable resources, the attacker can launch a targeted attack designed to exploit vulnerabilities in pages retrieved by the search campaign. Such attacks might include infecting web applications, compromising corporate data or stealing sensitive personal information.

Imperva recommends that search engine providers watch for suspicious queries – such as those known to be part of public Dork databases, or queries that look for known sensitive files – rather than relying on the source address alone.

However, organisations also need to be aware of the risks. Due to the thorough indexing of most corporate information – including web applications – the exposure of vulnerable applications is bound to occur, warns Imperva. Businesses can protect against exploits by deploying runtime application layer security controls, such as a web application firewall or reputation-based controls.

Botnet attacks

During May and June, Imperva observed a specific botnet attack that walked through dozens of pages of returned results by varying the paging parameter in the query. Nearly 550,000 queries were requested during the observation period. The attacker was able to take advantage of the bandwidth available to the dozens of controlled hosts in the botnet to seek and examine vulnerable applications.
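The two points above – that per-IP detection misses a botnet that spreads queries across many hosts, and that query content (known Dork operators, sensitive file names, paging through results) is the better signal – can be shown on a log. The following is an added example written for this article; it is not code from Imperva’s report or from any search engine. The log format, the sample lines, the paging parameter name “start” and the thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample of a search engine's query log ("timestamp src_ip request_path").
# Not real data: the format and the "start" paging parameter are assumptions.
SAMPLE_LOG = """\
2011-06-01T10:00:01Z 203.0.113.10 /search?q=inurl%3Aadmin.php+intitle%3A%22login%22&start=0
2011-06-01T10:00:03Z 203.0.113.11 /search?q=inurl%3Aadmin.php+intitle%3A%22login%22&start=10
2011-06-01T10:00:04Z 198.51.100.7 /search?q=inurl%3Aadmin.php+intitle%3A%22login%22&start=20
2011-06-01T10:00:06Z 198.51.100.9 /search?q=inurl%3Aadmin.php+intitle%3A%22login%22&start=30
2011-06-01T10:00:09Z 192.0.2.44 /search?q=filetype%3Asql+%22insert+into%22+password&start=0
2011-06-01T10:00:12Z 192.0.2.45 /search?q=filetype%3Asql+%22insert+into%22+password&start=10
2011-06-01T10:00:15Z 203.0.113.200 /search?q=best+pizza+in+london&start=0
2011-06-01T10:00:20Z 203.0.113.200 /search?q=best+pizza+in+london&start=10
"""

# Search-engine operators typical of Dorks, and a small illustrative list of
# sensitive-file terms (an assumed list, not the Google Hacking Database).
OPERATOR_RE = re.compile(r'\b(inurl|intitle|intext|filetype|ext|allinurl|allintitle):', re.I)
SENSITIVE_RE = re.compile(
    r'(wp-config|\.env\b|passwd|password|\.sql\b|\.bak\b|phpinfo|"index of"|admin\.php)', re.I)


def parse_line(line):
    """Split one log line into (timestamp, source ip, decoded query, page offset)."""
    ts, ip, path = line.split(' ', 2)
    params = parse_qs(urlsplit(path).query)      # decodes %3A, %22 and '+'
    query = params.get('q', [''])[0]
    start = int(params.get('start', ['0'])[0])
    return ts, ip, query, start


def dork_score(query):
    """Return (score, reasons): 0 for ordinary queries, higher for Dork-like ones."""
    reasons = []
    ops = OPERATOR_RE.findall(query)
    if ops:
        reasons.append("operators:" + ",".join(sorted({o.lower() for o in ops})))
    if SENSITIVE_RE.search(query):
        reasons.append("sensitive-term")
    return len(reasons), reasons


def max_queries_per_ip(log_text):
    """What an IP-keyed detector sees: the busiest single source address."""
    counts = Counter(parse_line(l)[1] for l in log_text.splitlines() if l.strip())
    return max(counts.values())


def find_campaigns(log_text, min_ips=2, min_pages=2):
    """Key on the query, not the IP: a Dork-like query whose result pages are
    walked from several different addresses is flagged as a distributed campaign."""
    by_query = defaultdict(lambda: {"ips": set(), "pages": set(), "reasons": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, query, start = parse_line(line)
        score, reasons = dork_score(query)
        if score == 0:
            continue                                 # ordinary search, ignore
        key = " ".join(query.lower().split())        # normalise spacing/case
        entry = by_query[key]
        entry["ips"].add(ip)
        entry["pages"].add(start)
        entry["reasons"] = reasons
    campaigns = {}
    for key, e in by_query.items():
        if len(e["ips"]) >= min_ips and len(e["pages"]) >= min_pages:
            campaigns[key] = {"distinct_ips": len(e["ips"]),
                              "pages_walked": sorted(e["pages"]),
                              "reasons": e["reasons"]}
    return campaigns


if __name__ == "__main__":
    print("busiest single IP issued", max_queries_per_ip(SAMPLE_LOG), "queries")
    for q, info in find_campaigns(SAMPLE_LOG).items():
        print(f"campaign: {q!r} from {info['distinct_ips']} IPs, pages {info['pages_walked']}, {info['reasons']}")
```

On the sample log no source address issues more than two queries, so a per-IP threshold sees nothing unusual, while keying on the normalised query text surfaces both Dork campaigns, each paged through from several bots. The operator and sensitive-term lists would in practice be fed from a public Dork database, as the report suggests.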

Earlier this year, researchers at Kaspersky Labs discovered an ‘indestructible’ botnet controlling more than 4.5 million computers, five percent of them in the UK, which it said presented “the most sophisticated threat today”.

Meanwhile, Microsoft announced in July that the infamous Rustock botnet had been nearly halved in size and was effectively crippled, demonstrating how tech companies can coordinate with law enforcement to take down malware distributing botnets.
